Android Taint Flow Analysis for App Sets Will Klieber*, Lori Flynn, - PowerPoint PPT Presentation

Android Taint Flow Analysis for App Sets Will Klieber*, Lori Flynn, Amar Bhosale , Limin Jia, and Lujo Bauer Carnegie Mellon University *presenting

Motivation  Detect malicious apps that leak sensitive data.  E.g., leak contacts list to marketing company.  “All or nothing” permission model.  Apps can collude to leak data.  Evades precise detection if only analyzed individually.  We build upon FlowDroid .  FlowDroid alone handles only intra-component flows.  We extend it to handle inter-app flows. 2

Introduction: Android  Android apps have four types of components :  Activities (our focus)  Services  Content providers  Broadcast receivers  Intents are messages to components.  Explicit or implicit designation of recipient  Components declare intent filters to receive implicit intents.  Matched based on properties of intents, e.g.:  Action string (e.g., “ android.intent.action.VIEW ”)  Data MIME type (e.g., “ image/png ”) 3

Introduction  Taint Analysis tracks the flow of sensitive data.  Can be static analysis or dynamic analysis.  Our analysis is static.  We build upon existing Android static analyses:  FlowDroid [1]: finds intra-component information flow  Epicc [2]: identifies intent specifications [1] S. Arzt et al., “FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps”. PLDI , 2014 . [2] D. Octeau et al., “Effective inter-component communication mapping in Android with Epicc: An essential step towards holistic security analysis”. USENIX Security , 2013 . 4

Our Contribution  We developed a static analyzer called “ DidFail ” (“Droid Intent Data Flow Analysis for Information Leakage”).  Finds flows of sensitive data across app boundaries.  Source code and binaries available at: (or google “DidFail SOAP”) http://www.cert.org/secure-coding/tools/didfail.cfm  Two-phase analysis: 1. Analyze each app in isolation. 2. Use the result of Phase-1 analysis to determine inter-app flows.  We tested our analyzer on two sets of apps. 5

Terminology Definition. A source is an external resource (external to the app, not necessarily external to the phone) from which data is read. Definition. A sink is an external resource to which data is written. For example,  Sources : Device ID, contacts, photos, current location, etc.  Sinks : Internet, outbound text messages, file system, etc. 6

Motivating Example  App SendSMS.apk sends an intent (a message) to Echoer.apk , which sends a result back. SendSMS.apk Echoer.apk Device ID (Source) getIntent() startActivityForResult() onActivityResult() setResult() Text Message (Sink)  SendSMS.apk tries to launder the taint through Echoer.apk.  Existing static analysis tools cannot precisely detect such inter-app data flows. 7

Analysis Design  Phase 1 : Each app analyzed once, in isolation.  FlowDroid: Finds tainted dataflow from sources to sinks.  Received intents are considered sources.  Sent intent are considered sinks.  Epicc: Determines properties of intents.  Each intent-sending call site is labelled with a unique intent ID .  Phase 2 : Analyze a set of apps:  For each intent sent by a component, determine which components can receive the intent.  Generate & solve taint flow equations. 8

Running Example src 1 Three components: C 1 , C 2 , C 3 . I 1 C1 = SendSMS C 1 sink 1 C2 = Echoer C 2 I 3 src 3 C3 is similar to C1 C 3 sink 3 • sink 1 is tainted with only src 1 . • sink 3 is tainted with only src 3 . 9

Running Example src 1 I 1 C 1 sink 1 C 2 I 3 src 3 C 3 sink 3 Notation: 10

Running Example src 1 I 1 C 1 sink 1 C 2 I 3 src 3 C 3 sink 3 Notation: 11

Running Example src 1 I 1 C 1 sink 1 C 2 I 3 src 3 C 3 sink 3 Final Sink Taints: • T(sink 1 ) = {src 1 } Notation: • T(sink 3 ) = {src 3 } 12

Phase-1 Flow Equations Analyze each component separately. Phase 1 Flow Equations : src 1 C 1 sink 1 C 2 src 3 C 3 sink 3 Notation • An asterisk (“ ∗ ”) indicates an unknown component. 13

src 1 Phase-2 Flow Equations I 1 C 1 sink 1 C 2 Instantiate Phase-1 equations for all I 3 src 3 possible sender/receiver pairs. C 3 sink 3 Phase 1 Flow Equations : Phase 2 Flow Equations: Notation 14

src 1 Phase-2 Taint Equations I 1 C 1 sink 1 For each flow equation “src → sink”, C 2 I 3 src 3 generate taint equation “T(src) ⊆ T(sink)”. C 3 sink 3 Phase 2 Flow Equations : Phase 2 Taint Equations: Notation If s is a non-intent source, then T( s ) = { s }. 15

Phase 1 Epicc Original APK TransformAPK FlowDroid (modified) Extract manifest 16

Implementation: Phase 1  APK Transformer  Assigns unique Intent ID to each call site of intent-sending methods.  Enables matching intents from the output of FlowDroid and Epicc  Uses Soot to read APK, modify code (in Jimple), and write new APK.  Problem: Epicc is closed-source. How to make it emit Intent IDs?  Solution (hack): Add putExtra call with Intent ID. Phase 1 Epicc Original APK TransformAPK FlowDroid (modified) Extract manifest 17

Implementation: Phase 1  FlowDroid Modifications:  Extract intent IDs inserted by APK Transformer, and include in output.  When sink is an intent, identify the sending component.  In base.startActivity , assume base is the sending component. (Soundness?)  For deterministic output: Sort the final list of flows. Phase 1 Epicc Original APK TransformAPK FlowDroid (modified) Extract manifest 18

Implementation: Phase 2  Phase 2  Take the Phase 1 output.  Generate and solve the data-flow equations.  Output: 1. Directed graph indicating information flow between sources, intents, intent results, and sinks. 2. Taintedness of each sink. 19

Testing DidFail analyzer: App Set 1  SendSMS.apk  Reads device ID, passes through Echoer, and leaks it via SMS  Echoer.apk  Echoes the data received via an intent  WriteFile.apk  Reads physical location (from GPS), passes through Echoer, and writes it to a file 20

Testing DidFail analyzer: App Set 2 (DroidBench) Int3 = I( IntentSink2.apk, IntentSource1.apk, id3 ) Graph generated using GraphViz. Int4 = I( IntentSource1.apk, IntentSink1.apk, id4 ) Res8 = R(Int4) Src15 = getDeviceId Snk13 = Log.i Some taint flows : 21

Limitations  Unsoundness  Inherited from FlowDroid/Epicc  Native code, reflection, etc.  Shared static fields  Implicit flows  Currently, only activity intents  Bugs  Imprecision  Inherited from FlowDroid/Epicc  DidFail doesn’t consider permissions when matching intents  All intents received by a component are conflated together as a single source 22

Use of Two-Phase Approach in App Stores  We envision that the two-phase analysis can be used as follows:  An app store runs the phase-1 analysis for each app it has.  When the user wants to download a new app, the store runs the phase-2 analysis and indicates new flows.  Fast response to user. 23

DidFail vs IccTA  IccTA was developed (at roughly the same time as DidFail) by:  Li Li, Alexandre Bartel, Jacques Klein, Yves Le Traon (Luxembourg);  Steven Arzt, Siegfried Rasthofer, Eric Bodden (EC SPRIDE);  Damien Octeau, Patrick McDaniel (Penn State).  IccTA uses a one-phase analysis  IccTA is more precise than DidFail’s two-phase analysis.  Two-phase DidFail analysis allows fast 2nd-phase computation.  Future collaboration between IccTA and DidFail teams? 24

Conclusion  We introduced a new analysis that integrates and enhances existing Android app static analyses.  Demonstrated feasibility by implementing a prototype and testing it.  Two-phase analysis can be used by app store to provide fast response.  Future work:  Implicit flows  Static fields  Distinguish different received intents  Other data channels (file system, non-activity intents)  Etc. 25

Thank You